A new security vulnerability identified as “SideStepper” attack has emerged as a threat to Apple smartphones controlled by Mobile Device Management (MDM) programs.
According to reports, the vulnerability made inroads in the MDM-controlled iOS devices because of the flexibility Apple allows on its Enterprise Program. In its iOS enterprise offering, Apple lets corporates sign up, develop, and install professional apps usually for their internal use. However, Apple merely provides a platform for them to work on but doesn’t host or approve these apps.
Enterprise apps created in iOS platform enjoy lesser of security constraints when compared to iOS 9 platform, where device owners are repeatedly warned against installing malicious apps – even if a download is initiated accidentally. However, the iOS enterprise apps administered under a device management software don’t have to go through such rigorous procedures which is why SideStepper has been able to gain a footing in this ecosystem.
According to Check Point, the security firm that first discovered the vulnerability, SideStepper downloads itself in a victim’s device through phishing links and, once in, manipulates the communication between the MDM and the endpoint devices. It waits for a MDM server command and masquerades the original communication with its own to launch a Man-In-The-Middle (MITM)
attack on target devices.
This makes it possible for the attackers to steal enterprise data and tamper an ongoing correspondence without the victims’ knowledge. Unless an organization performs a multi-pronged security analysis on all connected devices and the MDM servers, network users will remain clueless about the SideStepper vulnerability because it shows no visible symptoms.
Although Apple is trying to pass the buck on MDM vendors for this vulnerability, industry experts claim that it is a result of the security loopholes that the company overlooked in its enterprise program. However, Apple does insist users to install apps – that it vets and approves – only through the Apple Store.
This is not the first time that iOS enterprise platform has become a subject of security attack. In 2014, Wirelurker malware exploited Apple’s enterprise platform to install unauthorized and malicious apps on infected devices.
At present, Apple has offered no solutions for curbing the effect of SideStepper attack, primarily because it’s not a malware which can be thwarted through a security patch.